MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 b965e20213ebff1b60c20b0bb7159e74cbaa6d6fb70ff5fe1d2f85dc2eb251c5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
AgentTesla
Vendor detections: 7
| SHA256 hash: | b965e20213ebff1b60c20b0bb7159e74cbaa6d6fb70ff5fe1d2f85dc2eb251c5 |
|---|---|
| SHA3-384 hash: | ca2046c9b0fe309e43ae3c8b4863cbd7dc17d0fa099badf6b9fd72802456e6278b0b4b816f65870be9b49909b4ba288c |
| SHA1 hash: | 3b6efbcb9cbb7bd1252c8b0b115a806e1392d649 |
| MD5 hash: | 0a5b515f5374d3e5079a0f9bf17d3241 |
| humanhash: | cardinal-vegan-spaghetti-india |
| File name: | b965e20213ebff1b60c20b0bb7159e74cbaa6d6fb70ff5fe1d2f85dc2eb251c5 |
| Download: | download sample |
| Signature | AgentTesla |
| File size: | 934'912 bytes |
| First seen: | 2020-11-11 11:17:05 UTC |
| Last seen: | Never |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | 6cea15fcbfd6616496bbe80d9d9d0796 (26 x Loki, 25 x AgentTesla, 10 x ISRStealer) |
| ssdeep | 12288:oiK9ODgpsN+4ZJ9ZnX9kx7Dgv42FuIvGNKj31NxC9PgwKBnLiLLgiHGXVIb1F:oiHusN+GRXiN2FuI+NKj0ewKN4/C+n |
| TLSH | A9159E22ADA05837C523353DCC0F5A649F25BF313929A9862BFD3D0F5F79A4178252A3 |
| Reporter |  seifreed |
| Tags: | AgentTesla |
Intelligence
File Origin
# of uploads :
1
# of downloads :
55
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:
Behaviour
Sending a UDP request
Creating a window
Unauthorized injection to a recently created process
Launching a process
Using the Windows Management Instrumentation requests
Reading critical registry keys
Launching the process to change network settings
Stealing user critical data
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Threat name:
Win32.Trojan.LokiBot
Status:
Malicious
First seen:
2020-11-11 11:19:50 UTC
AV detection:
26 of 29 (89.66%)
Threat level:
5/5
Detection(s):
Suspicious file
Result
Malware family:
agenttesla
Score:
10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan upx
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies service
Suspicious use of SetThreadContext
Drops startup file
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
UPX packed file
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
b965e20213ebff1b60c20b0bb7159e74cbaa6d6fb70ff5fe1d2f85dc2eb251c5
MD5 hash:
0a5b515f5374d3e5079a0f9bf17d3241
SHA1 hash:
3b6efbcb9cbb7bd1252c8b0b115a806e1392d649
SH256 hash:
98a617d0adab1d5a57d383b1dfa871e301f431819cd2af1aed61bec6044ec36f
MD5 hash:
1b011b9628f949b8f76ee8a29ff4225d
SHA1 hash:
d02e16ecf0cb52bd1d54eecc3facdcc34c105581
Detections:
win_agent_tesla_w1
Parent samples :
b3b1f3479b7d0033e21ef89ccea063a0281604d4472252cf590ec99be5aa2eb4
b965e20213ebff1b60c20b0bb7159e74cbaa6d6fb70ff5fe1d2f85dc2eb251c5
4f7f5917d40bbc372c64653858938d7e9255f2a4800215c8c0c2ea839566cda9
c0fa3d471fb605ce9ea0e18e66079fffdfc82ebebcfc7fc0318235412907237f
6bdcd8e2956d4c754f9ecedeb22fa1121f3f3d6f41a9dba35cdc59ce6da6c0e9
ece55bf60d34d3e75131e7c4a2f5c082f2d5e57bd0f97a54c89dfaff156d081d
b965e20213ebff1b60c20b0bb7159e74cbaa6d6fb70ff5fe1d2f85dc2eb251c5
4f7f5917d40bbc372c64653858938d7e9255f2a4800215c8c0c2ea839566cda9
c0fa3d471fb605ce9ea0e18e66079fffdfc82ebebcfc7fc0318235412907237f
6bdcd8e2956d4c754f9ecedeb22fa1121f3f3d6f41a9dba35cdc59ce6da6c0e9
ece55bf60d34d3e75131e7c4a2f5c082f2d5e57bd0f97a54c89dfaff156d081d
SH256 hash:
51ee68fa552fafd5bc2aa957997da156342e768dff755d8daddd7548304b6612
MD5 hash:
e530ca4f8ea0786dfec333e0c14100ca
SHA1 hash:
629d78808d0f32e1faf7dc913cf88a14e941955c
Detections:
win_agent_tesla_w1
Please note that we are no longer able to provide a coverage score for Virus Total.
YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.
| Rule name: | AgentTesla_extracted_bin |
|---|---|
| Author: | James_inthe_box |
| Description: | AgentTesla extracted |
| Rule name: | AgentTesla_mod_tough_bin |
|---|---|
| Author: | James_inthe_box |
| Reference: | https://app.any.run/tasks/3b5d409c-978b-4a95-a5f1-399f0216873d/ |
| Rule name: | Agenttesla_type2 |
|---|---|
| Author: | JPCERT/CC Incident Response Group |
| Description: | detect Agenttesla in memory |
| Reference: | internal research |
| Rule name: | agent_tesla_2019 |
|---|---|
| Author: | jeFF0Falltrades |
| Rule name: | CAP_HookExKeylogger |
|---|---|
| Author: | Brian C. Bell -- @biebsmalwareguy |
| Reference: | https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar |
| Rule name: | MALWARE_Win_AgentTeslaV2 |
|---|---|
| Author: | ditekSHen |
| Description: | AgenetTesla Type 2 Keylogger payload |
| Rule name: | MALWARE_Win_AgentTeslaV3 |
|---|---|
| Author: | ditekSHen |
| Description: | AgentTeslaV3 infostealer payload |
| Rule name: | win_agent_tesla_w1 |
|---|---|
| Author: | govcert_ch |
| Description: | Detect Agent Tesla based on common .NET code sequences |
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Delivery method
Other
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.